© 2017 maurizio pizzonia – sicurezza dei sistemi informatici e delle reti
Industrial control systems
malware and integrity
Results from the Preemptive research project
Critical Infrastructures (CI) and Industrial Control Systems (ICS)
• CI are infrastructures that are essential for the functioning of a society and its economy
– e.g., electricity, gas, telecommunications, water, dams, nuclear plants, public health, transportation, financial services, food...
• CI usually rely on Industrial Control Systems (ICS)
– different vulnerabilities with respect to regular IT
Industrial Control Systems (ICS)
• the organization also has a regular IT network for administration, sales, etc.
– … with regular security problems
The Preemptive research project
• Preemptive: “Preventive Methodology and Tools to Protect Utilities”
• focus on cybersecurity of “utilities”: companies managing electricity, water, gas
• objectives
– prevention and detection
– methodology and technology
– final testbed
The Preemptive research project
• Preemptive is funded by the EU (FP7)
– 12 European (+ Israel) partners (5 research + 7 industry)
– 6 “end users” (utility operators)
– three years (ends Feb 2017)
• many results
– a specific risk assessment methodology
– many specific IDS/IPS tools
• we focus on the results of uniroma3
ICS Security: specific aspects
• very peculiar technology
– SCADA-related software
– embedded systems
– usually not mastered by regular hackers (good)
• built for safety, not for security
– not designed to be resilient to malicious software attacks (bad)
• old systems, rarely patched/updated (bad)
– patching is costly
• preferred targets for specific attackers
– terrorists, opposing governments, intelligence agencies (bad)
– much larger resources than regular hackers (bad)
– Advanced Persistent Threats, APTs (bad)
aside on malware and APTs
malware
• any software that behaves illicitly or maliciously towards the user
• typically associated with a propagation mechanism
– social or technological
• a great many types and variants
– classification is very complex
– rather than classifying the software, the types of “behaviour” are classified
• virus, trojan, worm, ransomware, adware, spyware, etc.
• e.g., a piece of malware can be a trojan and a virus at the same time
propagation
source: Microsoft, SIRv11 2011
zombies and botnets
• some malware waits for the system to be used by a hacker (it installs a backdoor)
– typically trojans, viruses or worms
• an infected system is called a zombie
• a network of zombies that can be commanded coherently is called a botnet
• zombies are often commanded through Internet Relay Chat (IRC botnet)
• uses
– 50-80% of spam comes from zombies
• bandwidth savings, different addresses confuse anti-spam filters
– Distributed DoS (famous attacks on Yahoo, eBay, etc.)
– click fraud (sites with “pay per click” ads)
– hosting of phishing sites
• source: http://en.wikipedia.org/wiki/Zombie_computer
Cybercrime Black Market and ecosystem
the market
Source: Kaspersky (2009)
• botnet: $50 to thousands of dollars for a continuous 24-hour attack.
• Stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance.
• Personal data capable of allowing the criminals to open accounts in stolen names costs $5 to $8 for US citizens; two or three times that for EU citizens.
• A list of one million email addresses costs between $20 and $100; spammers charge $150 to $200 extra for doing the mailshot.
• Targeted spam mailshots can cost from $70 for a few thousand names to $1,000 for tens of millions of names.
• User accounts for paid online services and games stores such as Steam go for $7 to $15 per account.
• Phishers pay $1,000 to $2,000 a month for access to fast flux botnets
• Spam to optimise a search engine ranking is about $300 per month.
• Adware and malware installation ranges from 30 cents to $1.50 for each program installed. But rates for infecting a computer can vary widely, from $3 in China to $120 in the US, per computer.
market participants - levels
RAND - Markets for Cybercrime Tools and Stolen Data, 2014
evolution APTs
Advanced Persistent Threats (cyberwar)
• organizations (e.g., governments) capable of continuously threatening a target
– by IT means, but not only
• objectives
– compromise of industrial systems (Stuxnet)
• first rootkit for SCADA systems
– information gathering (Flame)
• screenshot, voice recording, remote control
• sophisticated viruses
– exploitation of several zero-day threats
– exploitation of MD5 collisions
– infections across various technologies (e.g., Bluetooth, PLC, SCADA)
Advanced Persistent Threats
peculiarities of APTs
• malware usually operated by very big organizations
• no direct profit but political or market advantages
• leverage insiders for info gathering and initial attack
• knowledgeable
– about specific industrial processes
– about deployed countermeasures (e.g. antivirus evasion)
• trade time for stealth (slow attacks)
• based on zero-days
– e.g. procured on the black market
– leverage public cloud facilities
famous APTs
• Stuxnet (2010)
– target: Iranian uranium enrichment facilities
– spreads through USB storage and regular IT systems
– specifically infects SCADA servers and embedded systems
• changes control parameters of centrifuges to induce excessive vibration
– hides from antivirus
– exploits several new vulnerabilities
– cryptographic attack
• others: Duqu (2011), Flame (2012), Duqu 2.0 (2015)
• apt.securelist.com (kaspersky)
end of aside
Integrity techniques for ICS protection and USB security
two “realms”
(figure: the two realms, Regular IT and Industrial Control System)
problem setting
• regular IT: considered insecure
• ICS: must be protected from APTs that can easily reach regular IT
• ICS loosely connected
– USB memory sticks are used
• USB memory sticks are used promiscuously
• USB memory is a spreading vector for APTs
idea
• use the Biba integrity model
– high integrity level: ICS
– low integrity level: regular IT
• for USB memory, we cannot rely on file system access control
– why???....
filesystem access control is useless
• USB sticks are used promiscuously on untrusted computers (e.g., employee devices)
• access control is not trusted on these devices
• we cannot be sure that nobody tampers with critical data
• hence, we cannot use file system access control
– we use cryptographic methods: signature
problems for USB filesystem signature/integrity
• composite data
– what about deletion or reverting to previous version of a single file?
• common approaches
– signing each file separately
• does not detect file deletion/restoration
• inefficient for large files
– signing each block separately
• does not detect restoration of single blocks
– signing the whole filesystem
• effective tampering detection
• highly inefficient: O(n) time for update, O(n) time for check, where n is the total amount of data stored; we aim at O(m) for update and check, where m is the data read or written
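The difference between per-file signing and a single signature over the whole file system, worked through as an added example (not code from the slides or from the Preemptive project). HMAC-SHA256 stands in for a digital signature, and the key, file names and file contents are constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # stand-in for the private key of the signing host


def sign(data):
    # HMAC-SHA256 stands in for a digital signature so that only the stdlib is needed
    return hmac.new(KEY, data, hashlib.sha256).digest()


def encode(name, data):
    """Length-prefixed (name, content) record, so record boundaries are unambiguous."""
    n = name.encode()
    return struct.pack(">I", len(n)) + n + struct.pack(">Q", len(data)) + data


# Approach 1: one signature per file, stored on the stick next to the file.
def write_per_file(files):
    return {"files": dict(files), "sigs": {n: sign(encode(n, d)) for n, d in files.items()}}


def check_per_file(stick):
    sigs = stick["sigs"]
    return all(n in sigs and hmac.compare_digest(sigs[n], sign(encode(n, d)))
               for n, d in stick["files"].items())


# Approach 2: one signature over the whole file system (stored under the key "").
def fs_blob(files):
    return b"".join(encode(n, files[n]) for n in sorted(files))  # O(n) in the stored data


def write_whole(files):
    return {"files": dict(files), "sigs": {"": sign(fs_blob(files))}}


def check_whole(stick):
    return hmac.compare_digest(stick["sigs"][""], sign(fs_blob(stick["files"])))


def tamper(cur, old, kind, name):
    """Changes that a host without KEY can make to the stick contents."""
    files, sigs = dict(cur["files"]), dict(cur["sigs"])
    if kind == "modify":
        files[name] = files[name] + b"0"
    elif kind == "delete":
        del files[name]
        sigs.pop(name, None)
    elif kind == "restore":  # old version put back, with its old signature if it has one
        files[name] = old["files"][name]
        if name in old["sigs"]:
            sigs[name] = old["sigs"][name]
    return {"files": files, "sigs": sigs}


def detection_matrix():
    """Map (scheme, tampering kind) to True when the check rejects the stick."""
    v1 = {"setpoints.cfg": b"max_rpm=1000", "interlock.cfg": b"enabled"}  # constructed
    v2 = dict(v1)
    v2["setpoints.cfg"] = b"max_rpm=800"
    matrix = {}
    for scheme, write, check in (("per-file", write_per_file, check_per_file),
                                 ("whole-fs", write_whole, check_whole)):
        old, cur = write(v1), write(v2)
        assert check(cur)  # the untouched stick is accepted
        for kind in ("modify", "delete", "restore"):
            matrix[(scheme, kind)] = not check(tamper(cur, old, kind, "setpoints.cfg"))
    return matrix


if __name__ == "__main__":
    for key, detected in detection_matrix().items():
        print(key, "detected" if detected else "NOT detected")
```
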
aside: Merkle hash tree
Authenticated Data Structure (ADS)
• a data structure that speeds up hash computation and checks
• useful when
– the dataset the hash is computed on (n) is large
– the changed data m are small (m<<n)
– the retrieved data m are small (m<<n)
• typical hypothesis
– client of an ADS can keep a hash (constant size) in a trusted environment
– client of an ADS can use a large amount of untrusted storage
ADS typical usage
• by using an ADS, the client can detect tampered data before they are used
– e.g., before they cause problems in business processes
• typical application
– cloud storage
• legal proof of correctness or tampering
• service level agreement verification
– backup check
many different ADSes
• Easy example: authenticated list
– each element e contains an info e.x and a cryptographic hash e.h and pointers e.prev e.next
– e.h = hash(e.prev.h | e.x)
– efficiency: append O(1), check O(n)
• Merkle Hash Tree
• Authenticated Skip Lists
• static and dynamic
MHT: how does it work
• a (balanced) tree
• each node v contains a hash for the data associated with the leaves below v
• client keeps only the root hash in a trusted storage
(figure: tree with root v0,0; internal nodes v1,0 and v1,1; leaf hashes v2,0, v2,1, v2,2, v2,3 over the data m1, m2, m3, m4)
data must be ordered
h(.) is a cryptographic hash function
v2,2 = h(m3)    v2,3 = h(m4)
v1,1 = h( v2,2 | v2,3 )
root hash = v0,0 = h( v1,0 | v1,1 )
MHT: integrity proof
• proof for mi:
– consider the path from mi to root
– the proof is made of the siblings of the nodes in that path
• example: proof for m2
– v2,0, v1,1
• check:
– assume that client has a trusted version of the root hash (RH)
– RH = h(h(v2,0 |h(m2)) | v1,1)
– compare RH == trusted RH
(figure: the same tree, with root v0,0, internal nodes v1,0 and v1,1, leaf hashes v2,0 to v2,3 and data m1 to m4)
MHT: check semantics
• client is sure that the data of the reply comes from the dataset associated with the trusted version of the root hash
MHT: efficiency
• for a balanced MHT, creating and checking a proof is efficient
• let n be the size of the stored data
• length of the proof is O( log n )
MHT: update
• we have to update mi to a new version mi’
– root hash will change as well as several internal hashes
• procedure
– compute proof p for mi and check it
– update the hashes of the path to root starting from mi using content of p
– update trusted root hash
MHT: update
• example: update m2 to a new version m2’
• O(log n) time for balanced trees
(figure: the same tree, with root v0,0, annotated “updated from proof”)
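An added example (not code from the slides or from the Preemptive project) of the MHT operations described above: an untrusted storage keeps the data and the tree, while a client holding only the trusted root hash checks integrity proofs and performs the three-step update. It goes beyond the four-leaf figure by padding any number of blocks to a power of two; the class names, the padding value and the 0x00/0x01 hash prefixes are assumptions of this example.

```python
import hashlib

EMPTY = b"\x00" * 32  # filler for unused leaf slots (a convention of this example)

def h_leaf(m):
    # The 0x00/0x01 prefixes keep leaf and inner hashes apart; the slides write plain h(.)
    return hashlib.sha256(b"\x00" + m).digest()

def h_node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def climb(node, k, sibling):
    """One step towards the root: the parity of index k tells which side the sibling is on."""
    return h_node(node, sibling) if k % 2 == 0 else h_node(sibling, node)

class UntrustedStorage:
    """Keeps the blocks and every tree level; the client trusts none of it."""

    def __init__(self, blocks):
        self.blocks = list(blocks)
        size = 1
        while size < len(self.blocks):
            size *= 2
        level = [h_leaf(b) for b in self.blocks] + [EMPTY] * (size - len(self.blocks))
        self.levels = [level]  # levels[0] = leaf hashes, levels[-1] = [root hash]
        while len(level) > 1:
            level = [h_node(level[k], level[k + 1]) for k in range(0, len(level), 2)]
            self.levels.append(level)

    def root(self):
        return self.levels[-1][0]

    def query(self, i):
        """Answer plus integrity proof: the siblings of the nodes on the path to the root."""
        proof, k = [], i
        for level in self.levels[:-1]:
            proof.append(level[k ^ 1])
            k //= 2
        return self.blocks[i], proof

    def store(self, i, block):
        """Replace block i and refresh the O(log n) hashes above it."""
        self.blocks[i] = block
        node, k = h_leaf(block), i
        for level in self.levels[:-1]:
            level[k] = node
            node = climb(node, k, level[k ^ 1])
            k //= 2
        self.levels[-1][0] = node

class Client:
    """Holds only the trusted root hash RH."""

    def __init__(self, trusted_root):
        self.rh = trusted_root

    @staticmethod
    def root_from(block, i, proof):
        node = h_leaf(block)
        for sibling in proof:
            node = climb(node, i, sibling)
            i //= 2
        if i != 0:  # the index does not fit the proof length: position not authenticated
            raise ValueError("proof too short for index")
        return node

    def read(self, storage, i):
        block, proof = storage.query(i)
        if self.root_from(block, i, proof) != self.rh:
            raise ValueError("integrity check failed")
        return block

    def write(self, storage, i, new_block):
        old, proof = storage.query(i)
        if self.root_from(old, i, proof) != self.rh:    # 1. check the proof p for m_i
            raise ValueError("integrity check failed")
        new_rh = self.root_from(new_block, i, proof)    # 2. redo the path using p
        storage.store(i, new_block)
        self.rh = new_rh                                # 3. update the trusted root hash

def demo():
    storage = UntrustedStorage([b"m1", b"m2", b"m3", b"m4"])  # constructed sample data
    client = Client(storage.root())
    results = {"read": client.read(storage, 1)}
    client.write(storage, 1, b"m2'")
    rebuilt = UntrustedStorage([b"m1", b"m2'", b"m3", b"m4"])  # ADS re-created from data
    results["root_matches_rebuild"] = client.rh == rebuilt.root()
    storage.store(1, b"m2")  # storage reverts m2' to m2 and repairs its own tree
    try:
        client.read(storage, 1)
        results["rollback_detected"] = False
    except ValueError:
        results["rollback_detected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```
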
ADS use case: check of cloud behaviour
• client stores root hash locally
• ADS can be stored in cloud too
• ADS can be applied to regular cloud storage
– i.e., storage might not know about ADS
(figure: the Client Application sends query/update to the untrusted Storage Server, which holds the MHT and returns answer + integrity proof; the client keeps the trusted root hash, shown as 38664e34f94365882791e78)
ADS authenticated query protocol
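(sequence diagram among ADS storage, client and Storage, with the labels: AUTH_query(x); Proof: P1..PK; regular query(x); result; and the client-side checks P1 == H(result)? and HashChain(Proof) == RH?, where the client holds RH)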
ADS authenticated update protocol
(sequence diagram among ADS storage, client and data storage, with the labels: query ADS x; Proof; insert x; update ADS; Update local RH; the client holds RH)
security remarks
• tampering with the ADS cannot lead to undetected data tampering
• to break the protection a hash collision must be found
• if an ADS is lost, it can be re-created from data
• essentially an ADS is only a speed-up tool
end of aside
efficient filesystem integrity
• by using ADS we obtain
– integrity check that detects any kind of tampering
– efficiency comparable to any index data structure
• a MHT for integrity of files and directories can be represented by means of files and directories
– ADS stored in the same USB storage
architecture of the Host Integrity System
• two realms: critical and regular
• only critical machines are equipped with an “Integrity Manager”
– checks that only genuine data are read
– writes proof that data are genuine
– based on hash and signature
• USB memory sticks
– any regular hardware
– a secure zone is identified (a directory)
– critical machines can only read from secure zone
special operations
• processes in critical machines read and write USB memory sticks through the Integrity Manager
– redefinition of system call semantics for ADS and root hash handling
other elements
• each host M has a private/public key pair
• Certification Authority (CA)
• root hash is signed by private key and written in the memory stick
– …along with certificate of M
• possible support of many secure zones
• initial creation of an empty secure zone
architecture
architecture
Usb Memory stick
gatekeeper
• distributed implementation of the Biba model (no need for networking)
• how to import data/software into the critical realm? special machine: gatekeeper
• gatekeeper
– like a critical machine but can read any data (and write it into a secure zone)
– can implement a “complete mediation” to check possibly malicious data before they enter the critical realm
security remarks
• restoring of a previous backup is not considered an attack
• USB memory stick is considered passive
– no protection against firmware attacks (unless they show tampered data)
USB firmware attack: BadUSB
• a malicious USB stick declares itself to be a keyboard
• when inserted into a PC, it starts to “type” commands, possibly
– downloading software (malware)
– executing software
– changing configurations
– typing to create malicious scripts and execute them
protection: USBCheckIn
• it is a hardware device that prevents “malicious typing”
• when a USB device pretends to be a keyboard, the user is asked to type specific codes
• it is a sort of Captcha for USB devices
USBCheckIn: startup
USBCheckIn: keyboard authorization